chevron-down Created with Sketch Beta.

Business Law Today

March 2023

March 2023 in Brief: Internet Law & Cybersecurity

Juliet Marie Moringiello

March 2023 in Brief: Internet Law & Cybersecurity
spainter_vfx - stock.adobe.com

Jump to:

Employer’s Defense Against BIPA Class Action Lawsuits – Collective Bargaining Agreements

By Alan S. Wernick, Esq., Aronberg Goldgehn

In March 2023 the Illinois Supreme Court affirmed the decision of a Cook County Circuit Court of Appeal in a class action lawsuit concerning the Illinois Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/1 et seq.). The decision examines how collective bargaining agreements, in light of Section 301 of the Labor Management Relations Act (29 U.S.C. §185) (“LMRA”), can provide a defense to a BIPA lawsuit and preempt BIPA claims by employees covered by a collective bargaining agreement (“CBA”). This article provides a brief review of this case and concludes with some thoughts for business leaders regarding defenses against BIPA claims. An article I wrote concerning the original February 2022 Cook County Circuit Court of Appeal decision is available at bit.ly/MIB_BIPA_Collective_Bargining_Agmts_202202.

BIPA and Collective Bargaining Agreements

The case resulting in the March 23, 2023, decision by the Illinois Supreme Court in Walton v. Roosevelt University, 2023 IL 128338, was brought to the court on an appeal from the February 22, 2022, decision in the Appellate Court of Illinois, 1st District, 2nd Division. The case was brought to the state Appellate Court from the state trial court upon defendant’s motion to reconsider an adverse ruling on defendant’s motion to dismiss or, alternatively, to certify a question for review by the Appellate Court. The trial court denied defendant’s motion to reconsider but did certify the question at issue in the case for appeal. The question certified for review was “Does Section 301 of the Labor Management Relations Act (29 U.S.C.[ ] § 185 [(2018)]) preempt [Biometric Information Privacy Act] claims ( 740 ILCS 14/1 [(West 2018)]) asserted by bargaining unit employees covered by a collective bargaining agreement?”

The state Appellate Court held that plaintiff (union employee) and his fellow unionized employees are not prohibited from pursuing redress for a violation of their right under BIPA to biometric privacy—they are simply required to pursue those rights first through the grievance procedures in their collective bargaining agreement rather than in state court. In essence, the Illinois Appellate Court determined that a union member–employee (plaintiff) “cannot bypass his union, his sole and exclusive bargaining agent,” to demand that the employer “deal with him directly” on the issue of biometric privacy. The Illinois Supreme Court affirmed the judgment of the appellate court and remanded the cause to the circuit court for further proceedings.

Similar to the Illinois Court of Appeals, the Illinois Supreme Court agreed with a ruling by the U.S. Court of Appeals for the Seventh Circuit in Fernandez v. Kerry, Inc., 14 F.4th 644 (U.S.C.A, 7th Cir. 2021), which held that unionized employees’ claims that their employer violated BIPA were preempted by the Labor Management Relations Act (29 U.S.C. § 185). The Illinois Supreme Court stated:

After reviewing both Seventh Circuit cases, we do not find the decisions in either Miller or Fernandez to be without logic or reason. [citation omitted] Given the language in the CBA and the LMRA, it is both logical and reasonable to conclude any dispute must be resolved according to federal law and the agreement between the parties. Therefore, in answering the certified question before us, we defer to the uniform federal case law on this matter and find that when an employer invokes a broad management rights clause from a CBA in response to a Privacy Act claim brought by bargaining unit employees, there is an arguable claim for preemption. Accordingly, because we do not believe the federal decisions were wrongly decided, and here the CBA contained a broad management rights clause, we find Walton’s Privacy Act claims are preempted by the LMRA. We therefore answer the certified question in the affirmative.

(For a more detailed discussion of Fernandezsee my article “Biometric Information Privacy Act and Collective Bargaining Agreements” at bit.ly/BIPA_Collective_Bargining_Agmts_MIB_202109.)

Conclusion

Biometric devices are becoming ubiquitous in the workplace and elsewhere. As the Illinois BIPA (740 ILCS 14/5(c)) recognizes, “Biometrics … are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.” Biometric data harvested by biometric devices must be handled in compliance with applicable statutes and case law.

The interpretation of a CBA will determine, in part, BIPA liability, if any, for the union or employer. Employers and unions subject to a collective bargaining agreement under the Labor Management Relations Act (29 U.S.C. § 185 (2018)) (or the Railway Labor Act [45 U.S.C. §§151-164 and 45 U.S.C. §§181-188], if applicable) need to understand their compliance responsibilities when using biometric devices and the relationship to their employees’ (members’) rights, and the potentially significant liabilities under BIPA-type legislation. By way of example, without limitation, does the CBA clearly address the employer’s use of biometric data in the workplace, the necessary BIPA notices and consent, etc.?

The bottom line is that employers using, or planning to use, biometric devices (including, without limitation, timeclocks, facial recognition, etc.) in the workplace need to be aware of the applicable biometric privacy legislation (Illinois is not the only jurisdiction) and case law applicable to the jurisdictions where they do business and where their employees (and others interacting with those devices) reside. As the courts noted, unionized employees are not prohibited from pursuing redress for a violation of their right to biometric privacy; they are simply required to pursue those rights through the grievance procedures in their collective bargaining agreement, if applicable, rather than in court in the first instance. When speaking with your clients, be alert and proactive when you hear your business clients mention they are considering, or are, using biometric devices. 

    Editor